MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e7b1bd921cbfbbc4dea263e444d59c9c0f28b18f9b1a2c57a9bec5a1a6766f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 11


SHA256 hash: 4e7b1bd921cbfbbc4dea263e444d59c9c0f28b18f9b1a2c57a9bec5a1a6766f5
SHA3-384 hash: bb9bb7aa112132c42051a6f7f049d54013f3f3fd16db5e1cd93ace81a571d702f4596a367c1740eedb4eaa576b84c4ea
SHA1 hash: 9db8c77fd8967858df5d367f26217d22dbd832d4
MD5 hash: d9cf88564079f0d7a40e6916f536de1f
humanhash: harry-chicken-missouri-river
File name: Profile_AXIN0626Sample.js
Signature: AveMariaRAT
File size: 74'313 bytes
First seen: 2026-06-23 08:03:07 UTC
Last seen: Never
File type: Java Script (JS) js
MIME type: text/plain
ssdeep: 768:r+UbF7Sx5zOMFRbY7+1O+5wHqJjPRSyuWEmLfaYsdP4kcNadr4gCLxH2Jid8qsAw:Ogc3GZ
TLSH: T1D37322F02EC2B2F82619DA97EDBA6C9184F143454EE462BB05D2108FF865ADB4DF3744
Magika: javascript
Reporter: abuse_ch
Tags: AveMariaRAT js

Intelligence


File Origin
# of uploads: 1
# of downloads: 148
Origin country: SE
Vendor Threat Intelligence
No detections

Verdict: Malicious
Score: 70%
Tags: ransomware hype

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm fingerprint repaired

Verdict: Malicious
File Type: js
First seen: 2026-06-22T18:37:00Z UTC
Last seen: 2026-06-24T05:52:00Z UTC
Hits: ~100
Detections: Trojan.JS.SAgent.sb Trojan-Downloader.Agent.HTTP.ServerRequest HEUR:Trojan.Script.Generic

Result
Threat name: AveMaria, KeyLogger, MicroClip
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates processes via WMI
Early bird code injection technique detected
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs a global keyboard hook
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: Suspicious PowerShell IEX Execution Patterns
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected Keylogger Generic
Yara detected MicroClip
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Telegram RAT
Behaviour
Behavior Graph:
[Behavior graph not reproduced in text. Behavior Graph ID: 1932411; Sample: Profile_AXIN0626Sample.js; Startdate: 23/06/2026; Architecture: WINDOWS; Score: 100. The graph shows the execution chain wscript.exe -> powershell.exe -> RegAsm.exe -> DumpBrowserSecrets.exe with the dropped files C:\Users\user\AppData\Roaming\RegAsm.exe, DumpBrowserSecrets.exe and DllExtractChromiumSecrets.dll (all PE32+), plus the signatures listed above.]
Threat name: Script-JS.Trojan.Cryxos
Status: Malicious
First seen: 2026-06-22 23:14:50 UTC
File Type: Text (JavaScript)
AV detection: 8 of 36 (22.22%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: execution
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Command and Scripting Interpreter: JavaScript
Command and Scripting Interpreter: PowerShell
Badlisted process makes network request
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments